Free SSL certificates and how to install on nginx in 10 steps
Here how you can get free SSL cerificates using Let’s Encrypt. Forget about the expire of certificates using the auto-renewal script. A complete reference to install a Let’s Encrypt certificate is this Digital Ocean’s howto. Here there’s a quick guide based on it, plus some additional suggestions. Here we go!
Let’s Encrypt
this Digital Ocean’s howto
The following code download the script and make it executable. (1)
cd /usr/local/sbin # CentOS cd /usr/local/bin # Ubuntu / Debian wget https://dl.eff.org/certbot-auto chmod a+x /usr/local/sbin/certbot-auto
Logout and login again to make the certbot-auto script available as a command without typing the entire path.
The following code create a path for ssl certificate. Change /usr/local/etc/my/files/path/ssl_cert with a path for where you’ll store certificates, you can select a path not in your document root. (2)
mkdir /usr/local/etc/my/files/path/ssl_cert
Now edit your /etc/nginx/conf.d/mysites.conf and add this into the server {…} directive to make available example.com/.well-known url (3):
server { listen 80; server_name example.com www.example.com mysite.com www.mysite.com; location ^~ /.well-known { alias /usr/local/etc/my/files/path/ssl_cert/.well-known; allow all; } location / { # redirect all other path to the HTTPS version return 301 https://www.mysite.com$request_uri; } }
At this time you’ve to make available .
Check syntax and reload nginx:
nginx -t systemctl reload nginx
Now execute the script to install certificates for your domains. Remember to use the command with -d domain-without-www -d www-domain in this order. (4)
Install all needed dependencies for your system (via yum on RedHat based distro and apt on Debian based) Generate a valid certificate
certbot-auto certonly -a webroot --webroot-path=/usr/local/etc/my/files/path/ssl_cert -d example.com -d www.example.com -d mysite.com -d www.mysite.com
An auto check will be performed and you will get a Congratulation message.
Now generate a strong Diffie-Hellman group with this command (5):
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Check syntax and if ok reload the nginx server to apply changes and . (6)
nginx -t systemctl reload nginx
Auto-renewal
A certificate will be valid for a short period of time, e.g. 3 months.
To auto-renew the certificate for all of your domains, you should add the auto-renewal command to cron.
You can read how to renew certificates on cron here.
read how to renew certificates on cron here
Enable SSL on nginx
To enable SSL on nginx, if you have already a mysite.conf file mapped for uncrypted connection on port Inside the /etc/nginx/conf.d directory, copy the file as mysite**\_ssl**.conf and:
Change all occurrences of:
to:
In this way nginx will listen to 443 port on SSL. Ensure you have this port available externally (firewall and/or Selinux audit2allow). (8)
In the original file, mysite.conf, you can delete all entries but you have to keep the well-know part (step 3). This will avoid errors by Let’s Encrypt script.
Add and enable cyphers. Here there’s a good cyphers list, reliable for compatibile but secure using TLS only. (9)
compatibile but secure using TLS only
server { # the port your site will be served on listen 443 ssl; # the domain name it will serve for server_name example.com; # substitute your machine's IP address or FQDN ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem; ##### Cyphers and SSL fine tuning ##### ssl_protocols TLSv1 TLSv1 TLSv2; ssl_prefer_server_ciphers on; ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_stapling on; ssl_stapling_verify on; add_header Strict-Transport-Security max-age=15768000; ##### END Cyphers and SSL fine tuning ##### # charset utf-8; etc... }
Test nginx syntax with:
and then reload nginx to apply changes (10), on CentOS:
Update 12/2018:
Better than using the acme authentication, you can use the standalone mode. This mode requires to stop the server first, then certbot will put up a webserver to verify the domain and get the certificates, all in a single command using –pre-hook and –post-hook to put down nginx.
sudo certbot certonly --standalone --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" -d example.com
https://web.archive.org/web/20170227000000*/https://letsencrypt.org/
https://web.archive.org/web/20170227000000*/https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04
chmod a+x /usr/local/sbin/certbot-auto </pre> <p>Logout and login again to make the certbot-auto script available as a command without typing the entire path.</p> <p>The following code create a path for ssl certificate. Change /usr/local/etc/my/files/path/ssl_cert with a path for where you’ll store certificates, you can select a path not in your document root. (2)</p> <pre class=
} } </pre> <p>At this time you’ve to make available .</p> <p>Check syntax and reload nginx:</p> <pre class=
https://web.archive.org/web/20170227000000*/https://chirale.org/2017/09/26/certbot-auto-renew-letsencrypt-certificate-on-cron/
https://web.archive.org/web/20170227000000*/https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Secure_Server_Design